Security

How we protect your board's data. Last updated: July 2026.

Your board's records, minutes, disclosures, and members' information are sensitive. We built NonprofitBOD to protect them with sensible, modern security practices. This page describes what we do today. We are an independent, early-stage product and are transparent about our posture rather than overstating it.

Data in transit

All traffic to NonprofitBOD is encrypted with HTTPS (TLS). We enforce HTTPS with HSTS so browsers refuse to connect insecurely.

Data at rest

Sensitive secrets, such as integration API keys and access tokens, are encrypted at rest using platform data-protection keys, not stored in plaintext. We never store your board members' passwords, because there are none (see below).

Passwordless authentication

Sign-in is passwordless: we email a secure, single-use, time-limited link. There is no password to guess, reuse, phish, or leak. Sign-in links and tokens are stored only as one-way hashes, and are consumed atomically so a link cannot be redeemed twice. Sessions use hardened cookies (HttpOnly, Secure, SameSite).

Access control and tenant isolation

Every board is isolated. A request only ever returns data for boards you belong to, and sensitive actions are additionally restricted by role (for example, only an Executive Director or Chair can manage members or settings). Programmatic access (our AI assistant integration) uses scoped, revocable tokens.

Application hardening

  • A strict Content-Security-Policy plus security response headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy).
  • Rate limiting on sign-in, invitations, and billing endpoints to resist abuse.
  • PKCE on our OAuth authorization flow, single-use authorization codes, and refresh-token rotation.
  • Uploaded images are validated by content, not just file extension, to prevent disguised-file attacks.
  • Open-redirect protection on all post-sign-in redirects.

Payments

Payments are processed by Stripe, a PCI-certified provider. NonprofitBOD never sees or stores full card numbers.

Your data is yours

You own your board's data and can export a complete copy at any time from within the app. On account deletion, we delete or de-identify your data in line with our Privacy Policy.

Subprocessors

We rely on a small set of vetted service providers (for payments, email delivery, image hosting, optional AI features, and analytics). They are listed in our Privacy Policy.

Responsible disclosure

If you believe you have found a security issue, please email [email protected] with the details. We appreciate responsible disclosure and will work with you to resolve valid issues promptly. Please do not publicly disclose an issue before we have had a chance to address it.

On certifications

We do not yet hold formal certifications such as SOC 2. We would rather tell you plainly what we do than imply a certification we have not earned. As we grow, formal audits are on our roadmap; if your organization requires specific assurances, contact us at [email protected] and we will share what we can.

See also our Privacy Policy and Terms of Service.

Rejoining the server...

Rejoin failed... trying again in seconds.

Failed to rejoin.
Please retry or reload the page.

The session has been paused by the server.

Failed to resume the session.
Please reload the page.